It has become increasingly important for developers (e.g., software component developers, such as application and operating system developers) to ensure data confidentiality and integrity for programs that handle sensitive data, particularly in the face of sophisticated security threats. Software vulnerabilities, whether benign software code defects (e.g., bugs) or exploitable software code (e.g., buffer overflows, format string vulnerabilities and/or the like), may cause problems for a software vendor's valued customers. A typical program executes all of its software code at a single privilege level, so that security-sensitive and non-security-sensitive program elements are equally exposed to malicious/fraudulent activities, such as extraction or alteration of sensitive/critical data. An intrusion into one program element therefore enables entry into any other component. For these reasons, developers continually work to prevent malicious software attacks, intrusions and other forms of fraudulent electronic activity that exploit such software vulnerabilities.
A trusted computing base (TCB) of a computing environment/system is the set of hardware, firmware, and/or software components (e.g., operating system components, device drivers, hypervisors and/or the like) that are significant in ensuring security, including data confidentiality and integrity, in the sense that any software vulnerability in the trusted computing base may jeopardize the security of the entire computing environment. The size and complexity of typical trusted computing bases render them impractical to analyze for software vulnerabilities.
Due to the hierarchical privilege structure of the computing environment, programs that operate on such trusted computing bases may inherit these software vulnerabilities and/or may introduce additional vulnerabilities when such programs (e.g., virtual machine monitors, security-sensitive applications and/or the like) also run as privileged software code (e.g., in a privileged processor mode, such as kernel mode or hypervisor mode). The software code of such privileged programs adds to the size of the trusted computing base.
Various code-partitioning schemes provide security by dividing a program into trusted and untrusted portions, in which the trusted portions form part of the trusted computing base and run at a different privilege level than the untrusted portions. Trusted portions that are large provide a considerable number of opportunities for malicious attacks and reduce the benefits and practicality of executing those portions in a separate execution environment at a different privilege level. Large amounts of trusted code also inhibit any meaningful examination as to correctness. Furthermore, such code-partitioning schemes often require substantially manual tasks that prove to be error-prone and slow.
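As an added illustration of the two layouts contrasted above (this is example code written for this page, not code from the original text), the following Python program runs the same defective non-security-sensitive component twice: once with a signing key in the same address space, where a caller-controlled `str.format` template walks from the component's own function to the module globals and reads the key, and once partitioned so that the trusted portion is a few auditable lines running in its own process behind a single sign operation. The component names, the key, the format-string defect, and the use of a child process as a stand-in for a separate execution environment at a different privilege level are all assumptions made for the example.

```python
import subprocess
import sys

# Shared, non-security-sensitive component (constructed for this example).
# Defect: the caller controls the template handed to str.format. Format
# fields may follow attribute and item references, so everything in the
# namespace the class was defined in is reachable via user.__init__.__globals__.
UNTRUSTED_PORTION = r'''
class Greeter:
    def __init__(self, name):
        self.name = name

    def render(self, template):
        return template.format(user=self)   # BUG: attacker-controlled template
'''

# Layout 1 (monolithic): the key lives in the same namespace as Greeter.
MONOLITHIC = UNTRUSTED_PORTION + r'''
import hashlib, hmac
SIGNING_KEY = b"constructed-sample-key-do-not-reuse"   # sensitive data

def sign(message):
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()
'''

# Layout 2 (partitioned): the trusted portion is a separate process that
# generates and holds the key and exposes exactly one operation over a pipe
# (hex message in, hex HMAC-SHA256 tag out). A child process stands in for
# the separate execution environment (assumption made for the example).
TRUSTED_PORTION = r'''
import hashlib, hmac, os, sys
key = os.urandom(32)          # generated here, never written anywhere
for line in sys.stdin:
    tag = hmac.new(key, bytes.fromhex(line.strip()), hashlib.sha256).hexdigest()
    sys.stdout.write(tag + "\n")
    sys.stdout.flush()
'''

PARTITIONED = UNTRUSTED_PORTION + r'''
import subprocess, sys

class TrustedSigner:
    """Untrusted-side stub: it holds a pipe to the trusted portion, not a key."""
    def __init__(self, trusted_src):
        self.proc = subprocess.Popen([sys.executable, "-c", trusted_src],
                                     stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True)

    def sign(self, message):
        self.proc.stdin.write(message.hex() + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().strip()

    def close(self):
        self.proc.stdin.close()
        self.proc.wait(timeout=5)
'''

# Attacker-supplied template: walks from the bound method to the function's
# globals and indexes the key by name.
LEAK_TEMPLATE = "{user.__init__.__globals__[SIGNING_KEY]}"


def load_program(src):
    """Execute one program's source in its own global namespace."""
    ns = {"__name__": "program"}
    exec(src, ns)
    return ns


def attack_monolithic():
    """The defect in the non-sensitive component reads the key outright."""
    prog = load_program(MONOLITHIC)
    return prog["Greeter"]("alice").render(LEAK_TEMPLATE)


def attack_partitioned():
    """Same defect, same template; returns (signing works, key leaked)."""
    prog = load_program(PARTITIONED)
    signer = prog["TrustedSigner"](TRUSTED_PORTION)
    try:
        tag1 = signer.sign(b"hello")
        tag2 = signer.sign(b"hello")
        try:
            prog["Greeter"]("alice").render(LEAK_TEMPLATE)
            leaked = True
        except KeyError:        # no SIGNING_KEY exists in the untrusted namespace
            leaked = False
    finally:
        signer.close()
    return (tag1 == tag2 and len(tag1) == 64), leaked


if __name__ == "__main__":
    print("monolithic leak:", attack_monolithic())
    print("partitioned (signing works, key leaked):", attack_partitioned())
```

The trusted portion is six lines and has one input format, which is what makes its review tractable; the untrusted portion keeps its bug, but the bug now has nothing sensitive within reach. The child process is only a model of the boundary: in a real deployment the separation must be enforced by the operating system or hardware, and the untrusted side must not be able to read the trusted portion's memory or key material by any other path.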